UF cyber – University of Florida Information Technology News

MFA Bombing On the Rise at UF

Posted on January 9, 2023 by tgale@ufl.edu

MFA bombing attacks are increasing at UF. MFA bombing is a tactic used to circumvent your UF account’s multi-factor authentication measures. During an MFA bombing, the attacker uses your stolen username and password to repeatedly send ‘Duo Push’ notifications and/or phone call requests, hoping after multiple notifications you will give up and approve the Duo request. Approval will give the attacker access to your GatorLink account. If an attacker can MFA bomb you with repeated Duo requests, it means your GatorLink password is compromised and the attacker is trying to sign in using the stolen password.

To stop the onslaught of Duo attempts, you’ll need to reset your GatorLink password. Visit the GatorLink Account Management portal, select “Forgot/Reset Your Password,” and follow the prompts after selecting “Self-Service Reset.” You will be asked to provide your UFID, Gatorlink username, and additional information used to verify your identify.

It is important to use “Forgot/Reset Your Password,” and not “Change Your Password,” because the latter requires you to sign in–and you may accidentally approve the attacker’s Duo Push instead of your own requested notification!

The Duo requests should stop soon after resetting your password. (It may take a few moments for the attacker to get kicked out.) For more information on MFA bombing, visit UF’s Information Security website’s MFA bombing page.

Understanding Social Engineering

Posted on January 31, 2022January 31, 2022 by tgale@ufl.edu

Social engineering is the term for exploiting human psychology, rather than traditional hacking techniques, to gain access to buildings, systems, devices, or data. For example, a social engineer might call a UF phone number and pose as an IT support person, trying to trick the employee into divulging passwords. David Maurer in The Big Con writes of 1940s confidence [con] men and how they gained the trust of victims. It’s the same in the 2020s: social engineers want to seem believable whether by email, phone call, text, or in person–they gain the victim’s trust to get what they want. Two types of social engineering techniques are employment scams and tailgaiting:

1. Employment scams are plentiful, and many, if not most, students have received an email advertising a 10 hour per week campus job earning $350 per week. Think twice before clicking on the links in an email advertising a job you didn’t inquire about.
2. Tailgating is when someone enlists your help to gain unauthorized building access. An example is when a person with an armful of packages asks you to open the door with your UFID card since they can’t reach theirs. You naturally want to be helpful, but someone now has access they shouldn’t.

UFIT is launching an updated social engineering webpage this spring. In the meantime, if you suspect an email you receive in your GatorMail may be phishing, report it to abuse@ufl.edu. And remember, Gators…be aware of who you are letting access UF residence halls, academic buildings, and other secure campus spaces.

UF’s Cyber Security Framework Program

Posted on August 12, 2021October 2, 2022 by tgale@ufl.edu

UF’s Information Security Office, in partnership with the Office of Internal Audit and Office of Compliance and Ethics Program, introduced the Cyber Security Framework Program (UFCSF) on July 1. Planned and implemented in response to an audit sponsored by Florida’s Board of Governors, the Cyber Security Framework Program heightens UF’s ability to identify, protect, detect, respond, and ultimately recover from cybersecurity incidents.

The Cyber Security Framework program will provide a high-level view of the operational maturity of units across campus, which are then rolled up into a university-wide maturity rating. This information collected will be used to:

• Develop a unified view of the university’s information security environment
• Discover gaps in enterprise cybersecurity processes and technology
• Create university-wide solutions that reduce risk and increase cybersecurity maturity

The UFCSF program is modeled on the National Institute of Standards and Technology cybersecurity framework and tailored for the university’s OneIT model. Surveys are now being sent quarterly to UF’s 16 colleges and administrative units to evaluate their current processes for protecting computing assets and data, and for assessing risk. More information on the UF’s Cyber Security Framework program is online. Anyone with questions may email the UFCSF program team.

Simple Changes to be More Cybersecure

Posted on September 14, 2020October 2, 2022 by tgale@ufl.edu

Checking the age of your passwords and reviewing an email link or attachment before opening it can go a long way in protecting yourself from a cyber attack. It’s the world we now live in, so here are some reminders that could save you a lot of heartache and financial and/or identity problems:

1. Check before you click.
Never click on links or open attachments without inspecting the email first. With the enormous volume of malicious emails created and sent every day, being cautious is crucial. Always hover over the email address and look for signs of a scam.
2. Protect and update your passwords.
When was the last time you updated your passwords? Experts recommend updating them every 60 days! Not only should you update passwords, but you should use a passPHRASE. The longer your passwords are, the better.
3. Never leave your electronic devices unattended.
As tempting as it is to ask someone to watch your laptop while in Marston, don’t take this risk. Always take your portable items with you, even if it’s just “for a minute” while you are at the reference desk.

For more ways to be cyber aware, read the Psychology of Phishing story on UFIT News or visit the Information Security Office website.